Once you have registered your new domain (in my case marky.co) you need to go to the Azure portal and follow the instructions posted here (Configuring a custom domain name for an Azure cloud service). You cannot do this on the free tier though, and this is where you have to choose your plan carefully. To be able to interact with Office Add-ins I need my service to be SSL enabled.

Once you have selected a Basic plan you should get the following options.

Assign your site and, as the instructions state, you can “bring your domain” by changing the CNAME record within your domain name provider’s DNS management tools.

The certificate.pfx file can then be loaded into the Azure portal. When you import the certificate successfully it is displayed on the main blade automatically.

Add the SSL binding

aaaah we love the cloud….

IMPORTANT – Restart your instance and there we go

Conclusion

In this article we have seen how to deploy an instance of node.js on Azure, apply a custom domain to it, create an SSL certificate and add it to the Azure instance. Once this is complete you should have an SSL secured node.js instance running which can then be used for Office Add-in deployments.

“An independent Node.js Foundation built on open governance is a major industry wide event as it ensures the continued adoption and growth of one of the world’s most ubiquitous programming languages. The Node.js foundation will provide developers with a top development platform that when combined with the power of IBM Cloud and Mobile will accelerate time to application concept, deployment, and refinement. As a platinum member of the foundation, IBM looks forward to continued partnership in developing and promoting Node.js and the inevitable expansion of this vibrant community,” said Angel Diaz, Vice President, Cloud Architecture & Technology, IBM.

In this article I will demonstrate a couple of the things which can be passed through a Bluemix secure gateway, allowing us to create normal web based applications.

Introduction

In the previous article I demonstrated how to create a TLS secured hybrid Bluemix application. In this article we will look at some of the web properties (headers, cookies, etc.) which we can pass through the gateway.

The Gateway

To demonstrate what can be passed through the gateway I am using a simple notes form to display the incoming information.

The Cookie, Header and Username fields are all hidden if the field value is blank.

Here is my application running on node, using the secure gateway and once again accessing the Domino server hosted on my laptop.

No username, no cookie, no header.

Going back to the code within the calling application, we are going to add some additional information. In the following code snippet you can see that we have added a “Marky” header.

We can now see that the user is authenticated within the bounds of the hybrid application.

Pushing all this code up into Bluemix you can truly appreciate the authenticated hybrid app.

Conclusion

In this article we have seen how we can push basic header information through the gateway and pseudo-demonstrate an authenticated application. There are of course multiple hurdles to overcome between this demo and a real world application, but I hope it has given you an idea for what’s possible.

In this article I will demonstrate how to secure a hybrid IBM Bluemix application using the Secure Gateway and the Mutual TLS encryption option.

Introduction

In the previous article I demonstrated how to create a sample hybrid app which was insecure, because anyone could call the gateway URL and access the application behind the firewall. While this worked well as a concept demo, it is not a production-feasible setup. In this article we will look at how to set up a secure tunnel to the gateway URL and then on to our application.

It took me a long time (relatively) to figure out how to make this work in my environment as I did not understand what was being accomplished by the example. I hope to provide a greater level of detail and explanation in this article.

Creating a secure gateway

Following the steps described previously we can set up a Secure Gateway within our Bluemix app. This time we are going to create a gateway which is secured with TLS encryption. As you can see from the image below, when you select the “TLS Mutual Auth” option a grey section appears underneath the form fields.

Select Auto Generate cert and Private key

Click on the + icon at the end of the fields and you will see the new gateway created.

Click on the gear icon at the end of the line and you will see an option to “Download Keys”. On selecting that a zip file will be downloaded. You will notice that I have not blurred out the port or Destination ID this time. This is because the point of this is that without those TLS Keys, knowing this information will be of no use to you. (You’re welcome).

Once the keys are downloaded you need to add them to your node application (in my case in the root).

As you can see from the image below, the .pem files are plain text files containing the keys and certificates used in the TLS handshake when we connect to the gateway.

Once the keys have been added to the project we are then able to create our basic app.

When we call tunnel.create we create a secure tunnel from the current node server to whatever is passed in through the options object.

The port on which the tunnel is created has NOTHING to do with the port of the secure gateway. This tunnel will connect a specific port on the current server to the port on the gateway server.

The tunnel itself connects to the Secure Gateway on port 15101 (in this case).

The port is created as part of the connection to the gateway. When the connection is complete the port is closed. This prevents someone from guessing the new port on the server and using it!

This is not the best way of doing it; it is not very flexible for a reusable, in-production service with multiple connections. The port and server should not be hard coded. They are in this example so that it is easier to understand. We will look at making it generic later.

Connecting to our backend service (simpleHTTP.js)

In this case I am demonstrating connecting to a web page, but there is no reason why you cannot connect to MySQL, Mongo or anything else. I have a simple http connection module which will connect to the specified web page on the back end and return the page as a buffered string back to the original app.get('/secureTunnel').

If you try that link in a browser (unlike the unsecured link in the previous article) you will get nothing but a spinning web page.

The secure gateway in turn connects back into the hybrid environment (192.168.0.2:80) and gets the desired information from within the firewall.

The firewalled service responds back through the secure gateway and back to the host port 8888.

The response is packaged up and returned to the user’s screen (for this demo the HI message).

The tunnel on port 8888 is then closed and cannot be accessed by anyone any more.

And we have a result locally.

This is my node server running locally, connecting to the secure gateway to come BACK to my local Domino server.

This of course would look WAAAY more impressive if it was Bluemix making the call. So I committed the code and pushed it up to the xominoKnox Bluemix repository…….et voilà

Conclusion

What I hoped to achieve in this article is a step by step explanation of how a secure tunnel is created to facilitate the secure hybrid environment. As I mentioned, this hard coded version is not ideal for production yet because the keys are hard coded to the connection. With a little effort the code could be genericised so that the connection tunnel can be used with multiple secure gateways within Bluemix.

module.exports is node.js specific code which allows for code includes in this very manner. For more on this check out this article. Notice that (app) is passed to the function so that it is properly scoped to the original code.

Back in app.js we add a single line to require this new library, and that’s it.

More fundamentally than this simple example, this is the core of how node modules (including express) work. When you “require” express or http or any other module within your node application, this is how it is put together. Kinda cool 🙂

In this article I will demonstrate how to create a sample Hybrid app running in IBM Bluemix but getting data from behind a company firewall.

Introduction

A couple of years ago the prevailing message from vendors was “move to the cloud !!!”. The thing the vendors found though, was that companies do not necessarily want to move their “data” to the cloud. It is either too complicated, expensive, unnecessary, or they just flat out do not trust their data to the cloud. All that said, they are interested in the ability to securely expose their data to the outside world without exposing any of their internal systems. This has been achieved for years using a DMZ style firewall architecture which exposes only the web server, but not the database server, to the outside world.

In the Cloud world this concept is called a Hybrid model – cloud app, on premises data. In this article I want to show one way which IBM has approached this in Bluemix.

Reference

I wish I had listened to Ryan Baxter last year at MWLUG 2014. I heard him talk about this concept and I seriously thought to myself: who would want to do that? Being ahead of your time happens to the best of us. Anyway, you can see how Ryan set up his environment at that time using Cast Iron here. This is an excellent video and gives a nice overview of Cast Iron; that said, it is not the way I am going to do it and not the way IBM wants you to do it any more. So enjoy, but come back….

So let’s go through those steps one by one and explain what is going on.

1. Create and configure the Bluemix end of the gateway

Click on the Secure Gateway Service from within your Dashboard app view and you will see the configuration screen to create your first Gateway.

Click Add Gateway and you will be prompted to name your Gateway connection.

Click Connect it and you will then be presented with the status screen: Not Connected.

2. Install the gateway code on the machine within the firewall

The computer that you install the gateway on, inside your firewall, does not have to be the destination machine; it does however have to have access to the destination machine. Currently (April 2015) you will need to install a Docker container on the machine and then inside that the bluemix-secure-gateway can be installed. For those people without Docker already, go here to get it installed.

NOTE FOR WINDOWS USERS: I had serious issues getting this installed due to the Oracle Virtual Box which has to be installed along with it. If you find that the Virtual box does not install – use this regedit hack to fix it. https://www.virtualbox.org/ticket/11349

This fixed it for me. Follow these step by step:

Uninstall Virtualbox

Uninstall Any Virtual Box Network Adaptors from Device Manager

Go into the registry at: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network

Once you have Docker installed and running (Boot2Docker for Windows), copy the command below into your Docker window and run it.

You will see the Connected message appear on your Secure Gateway dashboard and the tunnel connected message in the Docker window.

The gateway is set up and a secure tunnel from Bluemix to my laptop (behind my office firewall) is set up.

To be clear, at this point the outside world cannot access the Copper/xomino server running on my laptop. It is just running on my laptop as normal within my development environment.

4. Configure the connection to access data behind the firewall

Next we have to create a destination (behind the firewall). Understand that the Docker container is bridged by default, so 127.0.0.1 inside it does not refer to my local computer. The IP address I have given Bluemix is the IP address of the laptop on my network.

As you can see from the image above, a Cloud Host and port have been assigned. If you do this a number of times you will see that the port changes.

You will also note that I chose the “No TLS” option for the connection. This means that this is NOT PRODUCTION ready. We really need to secure this so that only my application can call that URL. More on that later, but for the sake of this article/demo I am leaving it simple.

5. Use the connection

If we connect to the URL shown in the image above we can see a Domino server !!!

If we go to a specific page on that server we see this. Not much to look at I grant you, more on that in a later article.

But if we go to the gateway path and add “/xomino/ainx.nsf/testForm?readform” to the end of the URL, we get the exact same thing, from the exact same server, just displayed in a cloud app.

And that is very cool! Especially as it only took about 3 hours to figure this out 🙂

Conclusion

As we have seen in this article, it is relatively simple to set up a secure connection between a computer behind a firewall and Bluemix. The example shown is not yet fully secure though, as anyone could call the URL and get a web page from my server.

In a future article we will look at securing the connection and what else we are able to do with it.